5 Replies Latest reply on Jan 31, 2014 8:42 AM by asabban

    Unknown CA's in MWG 7.3

    jspanitz

What's the best way to let McAfee know about a valid but unknown CA?  We are using the managed list and have found a few certs that are missing.  Strangely, they aren't exactly new certs either.  We have manually added them to our additional static list, but it seems like there should be a way to submit these right from the console (or it should do it automatically).


      John

        • 1. Re: Unknown CA's in MWG 7.3
          asabban

          Hey John,


The easiest approach is to provide some example URLs of websites which are blocked because of missing certificates. Only with example URLs is it possible for me to build and validate the complete certificate chain and all required information such as CRL and OCSP URLs. If we only have access to a missing CA it would be beneficial to at least get the certificate itself, rather than the subject name, as that does not allow us to correctly identify what is missing.


          The original list was built on what we knew from browsers and previous MWG versions. The list is mainly updated once feedback is received, from customers, internal tests or security notifications.


          If you provide me with the things you miss (here or via PM or mail) I will have a look and see what we can do.


          Best,

Andre

          • 2. Re: Unknown CA's in MWG 7.3
            jspanitz

Ok, the site we currently have an issue with is https://tcg.loyaltypro.com


            Thank you for outlining the process.  I wish there were a way to submit these right from MWG though.

            • 3. Re: Unknown CA's in MWG 7.3
              asabban

              Hello,


Thanks for the sample URL. The server has a pretty common configuration error: it only serves the server certificate upon request; it does not provide the certificate chain which helps the client to build a trust relationship. This can be seen at:


              http://www.sslshopper.com/ssl-checker.html#hostname=https://tcg.loyaltypro.com/


              There is a note that says


              The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following DigiCert's Certificate Installation Instructions for your server platform. Pay attention to the parts about Intermediate certificates.


This is basically not a very big problem and - unfortunately - a common mistake for website operators. For servers not sending the certificate chain it is required for the client (browser or MWG) to know about all the certificates which are part of the chain. Depending on the CA, sometimes only the Root CA is marked as trusted in the browser; in this case there is no problem if the intermediate CAs are unknown, as they have been signed by a trusted CA - access is given. If the chain is missing and the client does not know all intermediate CAs it is not possible for the browser to find the Root CA, which is the trusted instance. In this case access is denied.


              This happened in this case. We knew the Root CA but because the server did not send the chain we were unable to find the correct Root CA. I have added the intermediate CA so access should now be possible.


              Best,

              Andre

              • 4. Re: Unknown CA's in MWG 7.3
                jspanitz

The joys of SSL scanning.  Is there a way to have MWG spit back a better (more detailed) block message?  In other words, to me this looked like a missing cert when in fact the web server didn't return the proper SSL cert chain.  Not sure if it can be done, but it would really help to quickly troubleshoot the issues.

                • 5. Re: Unknown CA's in MWG 7.3
                  asabban

                  Hey John,


There is not really a way for MWG to give a better response. MWG tries to find a trusted CA by following the chain. The only thing MWG notices is that it cannot build a certificate chain; it cannot decide whether this is due to a CA that is missing locally or a missing chain from the server. It would be nice if MWG was able to display the chain details on a block page to give you some idea about the missing certificates, or even a button to add it, but currently there is no functionality that could do this for you.


In the end, even if the server sends a wrong response, all you want is to allow access for your users, so the best approach is to report the sample URL and we include the missing certs. The good thing is that we also include all CRL/OCSP URLs in that case.


                  Best,

                  Andre
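To make the distinction drawn in replies 3 and 5 concrete, here is an added example that is not from the thread, from McAfee or from the loyaltypro site: it builds a constructed root/intermediate/leaf PKI with the openssl CLI (assumed installed, 1.1.x or 3.x) and runs `openssl verify` the way a client would, once with only the leaf (the server omitted its chain), once with the intermediate supplied, and once with a complete chain that ends at a root the client does not trust. The hostname and CA names are made up.

```shell
#!/bin/sh
# Added demo (not MWG's code): build a constructed root -> intermediate -> leaf PKI and
# show how "server sent no chain" and "root not trusted" both fail chain building.
# Assumes the openssl CLI (1.1.x or 3.x) is installed.
set -e
WORK=$(mktemp -d)

make_demo_pki() {
    # Two self-signed roots: the real one and an unrelated one for the "CA unknown" case
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Unrelated Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1
    # Intermediate CA signed by the root; CA:TRUE is required for it to sign the leaf
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
        -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.pem" >/dev/null 2>&1
    # Server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=tcg.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
        -CAcreateserial -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# check_chain <trusted roots PEM> [intermediates PEM, i.e. what the server sent]
# Prints "complete" when a path to a trusted root exists, otherwise
# "incomplete: depth N: <reason>" taken from openssl's error line.
check_chain() {
    if [ -n "$2" ]; then
        out=$(openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo complete ;;
        *) printf '%s\n' "$out" |
            sed -n 's/^error [0-9]* at \([0-9]*\) depth lookup: *\(.*\)$/incomplete: depth \1: \2/p' |
            head -n 1 ;;
    esac
}

make_demo_pki
echo "server sent only the leaf:        $(check_chain "$WORK/root.pem")"
echo "server sent leaf + intermediate:  $(check_chain "$WORK/root.pem" "$WORK/int.pem")"
echo "full chain, root not trusted:     $(check_chain "$WORK/other.pem" "$WORK/int.pem")"
```

Both failing cases produce the same OpenSSL error (20, "unable to get local issuer certificate"); only the depth differs, which is about as much as a verifier such as MWG can say without already knowing the chain.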
